Closed
Bug 1202186
Opened 9 years ago
Closed 9 years ago
Hide password in calls of console.log() and console.error()
Categories
(DevTools :: General, defect)
DevTools
General
Tracking
(firefox43 fixed)
RESOLVED
FIXED
Firefox 43
Tracking | Status | |
---|---|---|
firefox43 | --- | fixed |
People
(Reporter: dragana, Assigned: Gijs)
References
Details
(Keywords: csectype-disclosure, sec-low, Whiteboard: [adv-main43-])
Attachments
(1 file)
Calls of console.log(...) and console.error(...) will show the password in the URI. It should be hidden. Bug 1197791 will add a GetAnonymousSpec() function to nsIURI to hide the password. It can use this function.
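As an added illustration (not part of the bug report and not Firefox code): the userinfo is stripped from a caller URI at the one point where it is copied into a console record, so every console method shows the same sanitized location. `anonymousSpec`, `makeConsoleEvent` and the sample URI are hypothetical names and constructed data; the actual fix discussed in this bug is C++ in dom/base/Console.cpp.

```javascript
// Added example: not Firefox code. All names below are hypothetical.

// Return `spec` with any username/password removed. Strings that are not
// absolute URLs, and URLs without credentials, are returned unchanged so the
// logged location is not otherwise rewritten.
function anonymousSpec(spec) {
  let url;
  try {
    url = new URL(spec);
  } catch (e) {
    return spec; // not an absolute URL (e.g. "debugger eval code")
  }
  if (url.username === "" && url.password === "") {
    return spec;
  }
  url.username = "";
  url.password = "";
  return url.href;
}

// Build the record a console front end would display. The caller location is
// sanitized here, where it is copied into the record, so log(), error() and
// any other console method get the same treatment.
function makeConsoleEvent(level, callerSpec, lineNumber, args) {
  return {
    level,
    filename: anonymousSpec(callerSpec),
    lineNumber,
    arguments: args,
  };
}

// Constructed sample input: a script loaded from a URI that embeds credentials.
const sample = makeConsoleEvent(
  "error",
  "https://alice:s3cret@example.test/js/app.js?v=2#init",
  17,
  ["request failed"]
);
console.log(
  `${sample.level}: ${sample.arguments.join(" ")} ` +
    `(${sample.filename}:${sample.lineNumber})`
);
```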
Updated•9 years ago
Assignee
Comment 1•9 years ago
Does this still need to happen? AFAICT this has been fixed at the core level?
Flags: needinfo?(dd.mozilla)
Reporter
Comment 2•9 years ago
If you mean that bug 197791 has fixed this: no, it did not fix this problem. console.log() and console.error() do not use nsScriptError. I have opened this bug because I do not know this code well enough to decide where the right place to fix it is. The fix is easy if you know the right place.
Flags: needinfo?(dd.mozilla)
Comment 3•9 years ago
I don't have access to bug 1197791 to see what the fix looks like, but presumably you'd want to make the same changes to Console.cpp.
Assignee
Comment 4•9 years ago
Bug 1202186 - use nsISensitiveInfoHidden for console methods, r?past
Attachment #8660890 -
Flags: review?(past)
Assignee
Comment 5•9 years ago
To be clear, I don't know the code here well enough to be sure this is comprehensive enough, but it seemed to work in my very very very limited testing. I also don't know if/which tests are likely to break because of this change.
Comment 6•9 years ago
Comment on attachment 8660890
MozReview Request: Bug 1202186 - use nsISensitiveInfoHidden for console methods, r?past

baku knows this code better than me.
Attachment #8660890 -
Flags: review?(past) → review?(amarchesini)
Comment 7•9 years ago
Comment on attachment 8660890
MozReview Request: Bug 1202186 - use nsISensitiveInfoHidden for console methods, r?past

https://reviewboard.mozilla.org/r/19213/#review17159

lgtm!

::: dom/base/Console.cpp:39
(Diff revision 1)
> +#include "nsISensitiveInfoHiddenURI.h"

alphabetic order. Move it to line 38.

::: dom/base/Console.cpp:1224
(Diff revision 1)
> + event.mFilename.Assign(NS_ConvertUTF8toUTF16(spec));

CopyUTF8toUTF16(spec, event.mFilename);
Attachment #8660890 -
Flags: review?(amarchesini) → review+
Assignee
Comment 8•9 years ago
remote: https://treeherder.mozilla.org/#/jobs?repo=try&revision=1ac871b9e94d
Assignee
Updated•9 years ago
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Comment 10•9 years ago
https://hg.mozilla.org/mozilla-central/rev/4aa1e0f5013b
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox43: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 43
Updated•9 years ago
Whiteboard: [adv-main43+]
Updated•9 years ago
Alias: CVE-2015-7221
Updated•9 years ago
Alias: CVE-2015-7221
Whiteboard: [adv-main43+] → [adv-main43-]
Updated•6 years ago
Product: Firefox → DevTools